Rootmanual:ldap: Skillnad mellan sidversioner

Från Lysators datorhandbok, den ultimata referensen.
Hoppa till navigering Hoppa till sök
 
(80 mellanliggande sidversioner av 2 användare visas inte)
Rad 8: Rad 8:


https://wiki.debian.org/LDAP/MigrationTools
https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

= Before you start =

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

= Create certs and keytabs =

== Certficates ==

First, generate official certificates.
There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert
chmod 0500 /etc/ldap/cert
chmod -R 0400 /etc/ldap/cert/*

== Kerberos ==

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

export KRB5_KTNAME=/etc/ldap/ldap.keytab


= Bootstrap slapd =
= Bootstrap slapd =
Rad 38: Rad 81:
<date> ldap slapd[XXX]: slapd starting
<date> ldap slapd[XXX]: slapd starting
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.
<data> ldap slapd[XXX]: Starting OpenLDAP: slapd.

= Purgin the database =

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*


= Configure slapd =
= Configure slapd =
Rad 53: Rad 104:


ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

== Configure more extensive indexing ==
== Configure debug logging ==

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

== Configure more extensive indexing (To be removed)==


Configure slapd to use more indexing to improve performance.
Configure slapd to use more indexing to improve performance.
Put this into indexing.ldif
Put this into indexing.ldif


dn: olcDatabase={1}hdb,cn=config
dn: olcDatabase={1}mdb,cn=config
changetype: modify
changetype: modify
add: olcDbIndex
add: olcDbIndex
Rad 91: Rad 168:
ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif


== Configure SASL/SSL ==
== Import NIS User schema ==


Import nis schema
Put the following in ldif files and apply.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif


Verify that you can find posixAccount
Only use tls.


ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount
dn: olcDatabase={1}mdb,cn=config

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

== Import AUTOFS schema ==


Import autofs schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount


Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using
ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output
dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

== Kerberos Auth ==

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

'''NOTE''': Double check if schema uses ou People or users. If users is used then replace People with users bellow.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
changetype: modify
add: olcAuthzRegexp
replace: olcSecurity
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se
olcSecurity: tls=1
dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se
dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:
ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running


ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp
Specify certificate.

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se


ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

== Configure SASL/SSL ==

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)


dn: cn=config
dn: cn=config
Rad 116: Rad 289:
-
-
add: olcTLSVerifyClient
add: olcTLSVerifyClient
olcTLSVerifyClient: never
olcTLSVerifyClient: allow
Add using:


ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif
(Also install the certificates.)


Should output:
== Import NIS User schema ==


SASL/EXTERNAL authentication started
Import nis schema
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
SASL SSF: 0
modifying entry "cn=config"


Check it using:
Verify that you can find posixAccount


ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient


Should output:
== Import AUTOFS schema ==


SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow


Check that admin can login using tls:
Import autofs schema

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif
ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1


== Allow chsh, chfn and root to modify anything ==

In order to allow users to change their shell, an acl rule is required.

Place the following text in shell.ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=loginShell
by self write
by * read
olcAccess: {1}to *
by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUid & user/uid" manage
by * read

Then run the following:

ldapmodify -Y EXTERNAL -H ldapi:/// -f shell_access.ldif


It should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Verify by running:

ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess


It should print:
TODO: Make sure this file is installed by puppet


SASL/EXTERNAL authentication started
== Allow chsh and chfn ==
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}mdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=loginShell,gecos by self write by * read
olcAccess: {1}to * by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUi
d & user/uid" manage by * read
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1


= Importing data from NIS =
= Importing data from NIS =
Rad 143: Rad 420:
* Import from nis scripts.
* Import from nis scripts.
* Autofs conversion.
* Autofs conversion.
* Character conversion.


== Add uid counter ==


Place the following in nextUid.ldif:
=== Add top tree nodes in ldap database ===


dn: cn=nextUid,dc=lysator,dc=liu,dc=se
Before we import data into the database, some structures must be constructed inside the database.
changetype: add
objectClass: top
objectClass: organizationalRole
objectClass: uidObject
cn: nextUid
uid: 10000


Run:
TODO


ldapmodify -Y EXTERNAL -H ldapi:/// -f nextUid.ldif
=== Configure migrationtools ===

Should print:

TODO

To verify run:

ldapsearch -ZZ -H ldap://ldap.lysator.liu.se -b "dc=lysator,dc=liu,dc=se" "(objectClass=uidObject)"

Should print:

SASL/GSSAPI authentication started
SASL username: net4all@LYSATOR.LIU.SE
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=lysator,dc=liu,dc=se> with scope subtree
# filter: (objectClass=uidObject)
# requesting: ALL
#
# nextUid, lysator.liu.se
dn: cn=nextUid,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: organizationalRole
objectClass: uidObject
cn: nextUid
uid: 10000
# search result
search: 5
result: 0 Success
# numResponses: 2
# numEntries: 1

== Character conversion ==

Check encoding from output when converting from nis to ldap
file -bi <file>

Convert to utf-8
iconv -f <current-encoding> -t utf-8 <file> > <file>-utf8.ldif

== Check top tree nodes in ldap database ==

Before we import data into the database, we should verify that some structures exist.
Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

== Configure migrationtools ==


Run this:
Run this:
Rad 171: Rad 522:


$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "[["dc=lysator,dc=liu,dc=se"]]";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

== Importing into ldap database ==

Remember to convert the output of the migration scripts.
Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

=== Migrating autofs ===

'''NOTE:''' Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

'''NOTE:''' Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted:
auto.master
auto.home
auto.pkg
auto.lysator

==== auto.master ====
Add
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

==== Indirect mounts ====
Next is to add entries for /home, /mp and /pkg
Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"
dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.<file>
objectClass: top
objectClass: automountMap

==== Entry Template ====

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

= Errors & Hell =

=== Implementation Specific Error (80) ===
This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet.
Implementation Specific Error seems to be a catch all kind of error.\

=== Database config change doesn't take effetct ===
Try restarting slapd. Some changes doesn't take effect immediately.

Nuvarande version från 9 mars 2017 kl. 19.22

Useful documentation

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

Before you start

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

Create certs and keytabs

Certficates

First, generate official certificates. There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert
chmod 0500 /etc/ldap/cert
chmod -R 0400 /etc/ldap/cert/*

Kerberos

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

 export KRB5_KTNAME=/etc/ldap/ldap.keytab

Bootstrap slapd

First install debian, configure the network and run puppet. Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password). Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
 ldap slapd[XXX]: Starting OpenLDAP: slapd.

Purgin the database

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

Configure slapd

The OpenLDAP server (slapd) is configured by making changes to a database call ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Configure debug logging

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

Configure more extensive indexing (To be removed)

Configure slapd to use more indexing to improve performance. Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

Import NIS User schema

Import nis schema

 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

 ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

Import AUTOFS schema

Import autofs schema

 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount


Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using

ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using

ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Kerberos Auth

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

NOTE: Double check if schema uses ou People or users. If users is used then replace People with users bellow.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se


ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

Configure SASL/SSL

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif 

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1


Allow chsh, chfn and root to modify anything

In order to allow users to change their shell, an acl rule is required.

Place the following text in shell.ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=loginShell
  by self write
  by * read
olcAccess: {1}to *
  by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUid & user/uid" manage
  by * read

Then run the following:

 ldapmodify -Y EXTERNAL -H ldapi:/// -f shell_access.ldif


It should print:

 SASL/EXTERNAL authentication started
 SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 SASL SSF: 0
 modifying entry "olcDatabase={1}mdb,cn=config"

Verify by running:

 ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess

It should print:

 SASL/EXTERNAL authentication started
 SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 SASL SSF: 0
 # extended LDIF
 #
 # LDAPv3
 # base <olcDatabase={1}mdb,cn=config> with scope subtree
 # filter: (objectclass=*)
 # requesting: olcAccess 
 #
 # {1}mdb, config
 dn: olcDatabase={1}mdb,cn=config
 olcAccess: {0}to attrs=loginShell,gecos by self write by * read
 olcAccess: {1}to * by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUi
  d & user/uid" manage by * read
 # search result
 search: 2
 result: 0 Success
 # numResponses: 2
 # numEntries: 1

Importing data from NIS

  • Import from nis scripts.
  • Autofs conversion.

Add uid counter

Place the following in nextUid.ldif:

 dn: cn=nextUid,dc=lysator,dc=liu,dc=se
 changetype: add
 objectClass: top
 objectClass: organizationalRole
 objectClass: uidObject
 cn: nextUid
 uid: 10000

Run:

 ldapmodify -Y EXTERNAL -H ldapi:/// -f nextUid.ldif

Should print:

 TODO

To verify run:

 ldapsearch -ZZ -H ldap://ldap.lysator.liu.se -b "dc=lysator,dc=liu,dc=se" "(objectClass=uidObject)"

Should print:

 SASL/GSSAPI authentication started
 SASL username: net4all@LYSATOR.LIU.SE
 SASL SSF: 56
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base <dc=lysator,dc=liu,dc=se> with scope subtree
 # filter: (objectClass=uidObject)
 # requesting: ALL
 #
 # nextUid, lysator.liu.se
 dn: cn=nextUid,dc=lysator,dc=liu,dc=se
 objectClass: top
 objectClass: organizationalRole
 objectClass: uidObject
 cn: nextUid
 uid: 10000
 # search result
 search: 5
 result: 0 Success
 # numResponses: 2
 # numEntries: 1

Character conversion

Check encoding from output when converting from nis to ldap

 file -bi <file>

Convert to utf-8

 iconv -f <current-encoding> -t utf-8  <file> > <file>-utf8.ldif

Check top tree nodes in ldap database

Before we import data into the database, we should verify that some structures exist. Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

Configure migrationtools

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

Importing into ldap database

Remember to convert the output of the migration scripts. Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

Migrating autofs

NOTE: Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

NOTE: Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted: auto.master auto.home auto.pkg auto.lysator

auto.master

Add

dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

Indirect mounts

Next is to add entries for /home, /mp and /pkg Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"

 dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
 ou: auto.<file>
 objectClass: top
 objectClass: automountMap

Entry Template

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

Errors & Hell

Implementation Specific Error (80)

This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet. Implementation Specific Error seems to be a catch all kind of error.\

Database config change doesn't take effetct

Try restarting slapd. Some changes doesn't take effect immediately.